Massive Spam Shot of "Storm Trojan"

jcatcw writes "Postini has already counted nearly 5 million copies of the spam in the last 24 hours, and calculated that the run currently accounts for 87% of all malware being spread through email. 'Expect this to grow much larger,' a Postini spokesman said; 'It should top out at 60 million messages within the next 24 hours.' It's the largest attack in the last 12 months, and more than three times the volume of the two biggest in recent memory: a pair of blasts in December and January. The spam carries a ZIP file attachment posing as a patch with subjects such as Worm Alert!, Worm Detected, Spyware Detected!, or Virus Activity Detected."

yep...

[Churla (936633)]

My AVG seems to have quarantined a couple of these yesterday.

Nope

[winkydink (650484)]

I'm not seeing any statistically significant increase in either what's being blocked or what's being accepted by any of the MTA's I manage. Also, Trend Micro's spam stats [trendmicro.com] don't show any major jump in activity either.

I have seen a couple of copies of the spam itself, but nothing major.

Re:

[TFGeditor (737839)]

"I'm not seeing any statistically significant increase in either what's being blocked or what's being accepted by any of the MTA's I manage. Also, Trend Micro's spam stats don't show any major jump in activity either."

I hope you are right, because I have had an epiphany and am now one of those who decry the "clueless users/lusers" responsible for letting their machines become infected and recruited into botnets.

I used to have sympathy for them, but as botnets proliferate and my mail servers get pounded even

Re:

[winkydink (650484)]

Rumor has it that Postini is close to filing their S1 (i.e., getting ready to go public). Coincidence? Hmmm....

Re:Nope

[Ilgaz (86384)]

I choose to report my spam instead of ignoring so believe or not, I saw a single Canadian IP spamming (sending that worm) to 3 different mailboxes which has nothing to do with eachother. I even added to spamcop.net report comment "Please take care of this IP" and added the kaspersky virus ID. Guess what happened in return? A kind "thank you we took care of it" from Canadian ISP? No, 2 more spams from same IP! :)

I have checked the senderbase.org entry and it says like 3500% volume increase over 1 day from that IP!

Still, as old timer I feel uncomfortable posting the IP on web whether it is spammer/worm infected or not. I mean that worm really took off, perhaps the owner of botnet finally accepted the price offered by mob,mafia whatever using it. Yet again, no worries, Clam detects even without opening that password protected zipped junk.

Another day in the world of near-monoculture.

[jcr (53032)]

After all these years of malware on Windows systems, I think it's high time someone took Microsoft to court and at least charged them with contributory negligence. After the Mellissa virus, they can't claim that they don't know the hazard.

The person to bring this suit would need to be someone who's not a licensee of any MS products, but has suffered losses from their network getting DOS'd by Windows zombies trying to trade copies of the malware of the hour.

-jcr

Re:Another day in the world of near-monoculture.

[grub (11606)]

Microsoft is to computers what Philip Morris is to lungs.
Woo, a new quote! :))

Re:

[grub (11606)]

s/what/as/g

Re:

[Hoi Polloi (522990)]

Microsoft is to viruses/trojans as Europe was to the Black Plague

Re:Another day in the world of near-monoculture.

[baryon351 (626717)]

After all these years of malware on Windows systems, I think it's high time someone took Microsoft to court and at least charged them with contributory negligence. After the Mellissa virus, they can't claim that they don't know the hazard.

Who said it's Windows malware?

(yeah, OK, I was trying to be funny...)

Re:

[baryon351 (626717)]

I hadn't read the computerworld article before posting the above comment. Sadly, now I have, I notice it doesn't mention which OS the trojan runs on.

If I weren't so tired atm I'd have something deep and witty to say about that, but all I can do is shake my head.

Re:Another day in the world of near-monoculture.

[SomeoneGotMyNick (200685)]

I notice it doesn't mention which OS the trojan runs on.

**** COMMODORE 64 BASIC V2.0 ****

Re:

[powerlord (28156)]

You mean there is more then one OS? You must mean XP and Vista, right? ;)

(posted from Linux, by way of a tunneled session from OSX)

Re:

[Opportunist (166417)]

Probability and experience say it. And I usually listen to those guys.

Re:

[gvc (167165)]

Who said it's Windows malware?

Um, the payload is a .exe file. [symantec.com]

I thought I'd be a smart-ass and show you that it didn't run on Linux. But, damn! I have Wine installed.

./News.exe Could not stat /mnt/cdrom (No such file or directory), ignoring drive D:
err:win32:PE_fixup_imports No implementation for lz32.dll.2(LZCloseFile) imported from F:\News.exe, setting to 0xdeadbeef
wine: Unhandled exception, starting debugger...

Re:Another day in the world of near-monoculture.

[MightyYar (622222)]

Oh, come on. I am FAAAR from a MS apologist, but this trojan is not really something that they can (or should) prevent! This worm is not exploiting any flaw in MS's programs that I am aware of, it is simply social engineering. Unless you make Windows prevent a user from running arbitrary code, I don't know how you'd fix this.

If anyone should be sued, it should be the ISPs who allow zombies to sit there on their network. I don't like lawsuits, and would prefer to see some government incentive used to compel ISPs to remove the zombies.

Re:

[jimstapleton (999106)]

Very true...

The biggest security risk is shared by all operating systems and hardware setups because it's not part of the computer.

It's the lump of carbon, water, and other trace elements/compounds between the keyboard and the chair.

Re:

[secolactico (519805)]

The problem is, they are not the only ones who get it.

The poor schmucks with an email who receive the spam are the ones who get it, as well as the poor schmucks who administer an e-mail system that now has to contend with the extra load.

Re:

[blueZhift (652272)]

Shutting down zombies would definitely slow this stuff down. I know that in the past at least, some universities would cut off network access for computers that were apparently compromised. I don't know if this is the case at the majority of schools though. Sadly, it probably will take legislation to force ISPs to cut off zombies from their networks. I don't know why they don't do this already. Do these zombies help their bottom line, or is it less costly to keep them on the network to avoid fielding custom

Too much privilege!

[spaceyhackerlady (462530)]

Oh, come on. I am FAAAR from a MS apologist, but this trojan is not really something that they can (or should) prevent! This worm is not exploiting any flaw in MS's programs that I am aware of, it is simply social engineering. Unless you make Windows prevent a user from running arbitrary code, I don't know how you'd fix this.

Actually, there is a technical flaw, not just a human engineering one. The system allows users to install software, with global system implications, with no confirmation. My Mac confirms such things with me, and seems to get it right. My Linux box won't let me touch the global system configuration at all unless I su to root.

This has always been the problem. I recognize that there is incompetent Windows software out there that won't run without Administrator privileges, but that's another issue. If you really need privilege to do something (like change your password), others systems have ways of temporarily elevating privilege. Like suid on Unix.

...laura

Re:

[Feanturi (99866)]

My Mac confirms such things with me,

That's great, so when you're doing something that you feel really needs to be done, such as protecting your computer from the nasty botnet it is reportedly a part of, or your email will be cut off, you'll click through those prompts to get that patch in. Well maybe not you personally, but you and I are not the common masses.

Vista has the "Cancel or Allow" thingy going now. Do they need to extend it, would that really help?

"Hmm I need to run this patch like the email says,

computer IQ test?

[Bill, Shooter of Bul (629286)]

That is absolutely true. I guess the only real solution I can think of is require some sort of computer IQ test, instead of cancel or allow.

Are you sure you want to do this?

"YES"

OK what is the end result of this computation 15 XOR 24 ?

" UM 17?"

No, please call your son to ask permission to perform this operation.

Re:

[alphamugwump (918799)]

All right. You did it. I finally snapped. Here goes my karma.

Why the fuck do people keep bashing the UAC? What the fuck is wrong with finally having a real "sudo" in windows? Instead of having to run as administrator all the time, you can now escalate when you want to. Microsoft finally adds better security, and all the whiners come out of the woodwork.

This sort of shit reminds me of my uncle, who thinks he's a computer person:

"I really miss windows 98. It was a simple, no-frills operating system."
"It didn'

Re:

[Sancho (17056)]

Asking the user for permission to perform administrative actions is good. Asking them 2-3 times per perceived action is bad.

One of the problems I had with early revisions of UAC (I haven't had the pleasure of trying out Vista's final version much) is that it couldn't figure out what the user was trying to do and anticipate it. When creating a new file, I first was asked if I was sure I wanted to create it, then I was asked if I was sure that I wanted to rename it. Hey Vista! It's a NEW FILE! I probably

Re:

[MindStalker (22827)]

You could make the argument that as viruses have been around for a long time MS had a reason from the start to build it right.

Lets say there was no laws governing seat belts. And theoretically after seat belts where already in wide use among the new.. flying cars that a few people drove. Fly Systems finally invents the flying cars for the average Joe. It really takes off and now almost everyone has a Fly System car, but Fly Systems REFUSES to sell cars with seat belts, despite a market demand. Sure you can

Re:

[MightyYar (622222)]

I could see where that would help if the fact that it were an executable was obscured, but in this case the user is PURPOSELY running an executable. They'd take one glance at the message, say, "No shit," and click "Allow".

Besides, Outlook DOES warn you when you try to launch an executable! I just tried to launch VNC, and it says, "WARNING! This file may contain a virus that can be harmful to your computer. You must save this file to disk before it can be opened. It is important to be VERY certain that this

Re:

[mcpkaaos (449561)]

By that logic, should Slashdot be sued by sites that suffer the Slashdot Effect? It is a form of DoS, after all, and Slashdot are obviously aware when it occurs yet do little (mirrors after the fact) or nothing (no mirror at all) to prevent it.

Re:

[Opportunist (166417)]

How is MS responsible for what the user of their system does? Would you drag GM to court if someone used their cars in a terror attack?

I do agree with you that MS should be held responsible for remote exploits and buffer overflows, where the user does nothing and still gets infected. That's a flaw of the system. This (and about 99% of current malware) user user stupidity to infect a system.

Personally, I'd hold a user of a system responsible for what he does with it. If you are stupid enough to click on ever

Re:

[Opportunist (166417)]

That's why I said MS should be held responsible for flaws in their system that allows remote exploits like the RPC exploit that was quite popular before SP2 for XP.

What we're talking here is a guy coming up to you, telling you your car is unsafe and that he needs the car keys to drive it around the block to check if it is in danger and to fix it in his garage. Who should be responsible for that, GM or the cluebrick that hands over his keys?

Wow, good thing

[Grashnak (1003791)]

Good thing I installed that anti virus program that unexpectedly emails me attachments to protect me. Otherwise I'd be in trouble!

I've Gotten It Several Times...

[saudadelinux (574392)]

My officemate got it as the Britney / Paris porn thing twice this week. But she wasn't interested. I got it once. I wasn't interested. I've gotten the "Spyware detected!" with the zip file attached three times: twice at work, and once on my Yahoo! account.

I work at Department of Agriculture, so I'm surprised they didn't install themselves ;-)

I got one, I got one!!!

[sobolwolf (1084585)]

This was an image file so I typed it out to so maybe a nice person with mod points will redeem my terrible Karma... -- Dear Customer, Our Robot has detected an abnormal activity from your IP address on sending e-mails. Probably it is connected with the last epidemic of worm which does not have offical patches at the moment. We recommend you to install this patch to remove worm files and stop email sending, otherwise your account will be blocked. We had archived the patch becouse the worm can modify unpacked exe files. you should open the archive file, enter the password and run the patch immediately. Password: ugh11 Customer Support Center Robot __________ NOD32 2120 (20070316) Information __________ This message was checked by NOD32 antivirus system. patch-95150.zip - is OK patch-95150.zip > ZIP > patch-95150.exe - error - password-protected file http://www.eset.com/ [eset.com]

Re:

[0100010001010011 (652467)]

At least my spammers are well read. The text that accompanied one of my image spams is as follows:

'Aye, you do indeed,' said Gimli, looking them up and down over the top of his cup. 'Why, your hair is twice as thick and curly as when we parted; and I would swear that you have both grown somewhat, if that is possible for hobbits of your age. This Treebeard at any rate has not starved you.'

I saw one of these yesterday

[jsewell (86485)]

The msg body was a GIF containing text telling me there had been virus activity from my IP and I should run this "patch" to fix it. The "patch" was a zip file they said they had to send as a zip so my "comprimised virus scanner" wouldn't reject it. If I didn't run the patch, my internet access woudld be cut off. All I had to do was unzip and run the patch and all my problems would be solved. HA!

We all had a chuckle at how stupid someone would be to actually do that - then we realized grandma probably would, not knowning any better. All the more reason to get grandma off windows and onto at least a Mac, if not Linux.

waaaait just one second...

[ScentCone (795499)]

All the more reason to get grandma off windows and onto at least a Mac, if not Linux.

Out of curiosity... since this is a completely social hack, and is just a means to trick somebody into opening up a compressed file and running the included executable... why would a Mac or Linux user be immune? Cannot Mac and Linux users also run executable programs from their desktops? You're confusing the ability to run a program of your choice with the means by which someone is fooling you into thinking you should choose to run it, right?

Re:

[Rob the Bold (788862)]

Out of curiosity... since this is a completely social hack, and is just a means to trick somebody into opening up a compressed file and running the included executable... why would a Mac or Linux user be immune? Cannot Mac and Linux users also run executable programs from their desktops? You're confusing the ability to run a program of your choice with the means by which someone is fooling you into thinking you should choose to run it, right?

Sure, you could write a trojan targeted toward those OSs. And y

Re:waaaait just one second...

[adolf (21054)]

And you could presumably trick users w/o regard to the OS they use. But it's far more likely that the windows user is logged in with full Admin privileges.

But it doesn't matter.

The trojan/worm need not be an administrator to trash a user's computer, even with Linux. Let's use Ubuntu as an example. It can still send mail and propagate just fine as a regular user. It can also trash that user's documents and files (which are likely to be the only important data on the machine). It can use a crontab entry to start a daemon on a high-numbered port, which will run without user interaction, or without them even being logged in. That daemon won't be root, but it will still be capable of being a very proficient zombie.

After that, for good measure, it can just run gksudo and simply ask the user for root permission. Ubuntu users are absolutely content to enter their own password into gksudo whenever prompted, especially when performing updates and patches (as this claims to be). So, the trojan will readily then gain root and be free to run completely amock. Trashing or rooting the OS is the obvious next step, but it's probably not even needed after all of the damage and infiltration already accomplished as a regular user.

Seriously - just because it's not Windows does not mean that it's secure. As long as people are able to run arbitrary programs on their own computers, these types of things will continue to be a problem...no matter what kind of computer it is, and no matter if it has root/administrator priveledges or not.

Re:

[_xeno_ (155264)]

Executables are frequently distributed inside compressed archives (eg, ZIP files) in order to prevent email filters from automatically removing them as "dangerous file types." There are ZIP extensions and TAR natively includes UNIX privileges, so there'd be no need to chmod +x malware, as the decompression utility would do it automatically.

To the best of my knowledge, none of these formats will set the setuid bit, though, so from there you'd either need to get the user to run it as root (sudo malware) or,

Re:I saw one of these yesterday

[cdrguru (88047)]

Wrong - Linux and Mac are completely vulnerable to this type of attack. You go to install something that you were told to do so and it prompts for the root password. The user then types it in and the machine is wide open.

Don't think that would happen? You must be dealing with a better class of users than exist in the wild. Of course it would happen, and happen at such a frequency that it would be just another massive exploit.

Windows is targeted because of market penetration. Why bother with less than 5% when you can get 95% in a single effort?

Just another...

[Billosaur (927319)]

...trap for the unsophisticated Web user. I mean, if you get an email from someone you don't know telling you to update your anti-virus, wouldn't you think that's a little suspicious?

I don't get much spam, because I really don't let my email address float out in the wild, so this kind of thing never bother me. But it just makes me wonder when someone is going to take some initiative and try to build a better system, to minimize the human element as much as possible.

New "Sledgehammer" virus

[jfengel (409917)]

WARNING! Your computer is infected with a virus. This virus could be transmitted to you, and you will die within 24 hours.

Please forward this email to everybody you know, then smash your computer with a sledgehammer. NOTE: you must forward the email BEFORE smashing the computer, not after.

###

I swear to God I think people would actually do that. What the hell can the operating system do if people are willing to save a zip file, type in the password, and then run the contents?

Maybe Microsoft should refuse

Re:

[svendsen (1029716)]

Agreed. You can not make a system to prevent users from shooting themselves in the fool. I mean I can drive my car into a tree, how dare it let me do that!

Re:

[Opportunist (166417)]

Yup, they will. The promise or threat just has to be big enough.

Imagine the promise that this tool is gonna remove all WGA troubles for now and ever. Think people would refuse to burn it to CD, log in as admin, give it all rights and permissions, reboot 10 times and hand over every kind of password they have, including those for EBay, Amazon and their bank account?

Simple problem

[cdrguru (88047)]

If the any computer is not properly administered, it will be compromised by users that don't know any better. They can't possibly be aware of the differences between Microsoft automatically applying updates and other such "software updates" that might be required.

One sort of computer doesn't need to be administered any more than your toaster or TV needs to be administered. If the programming cannot be changed by the user in any way and all it does is read email and browse the web. Period. Maybe play some music sometimes. Ideally, such a device has its programming in ROM (not flash) and cannot be changed in any way. No instructions are ever put on R/W memory, ever. Completely and utterly secure the way your toaster is. How many people have found exploits for a toaster?

Windows is perfectly secure when it is properly set up and administered. The problem is that you can't install software on such a computer and you can run all sorts of fun applications. Gee, isn't that too bad. One solution is to require every user to either (a) switch to a appliance that cannot be compromised, (b) pay the ISP to administer their computer or (c) pass a test to be qualified to have a general-purpose computer connected to the Internet. And yes, the test should be similar to the FCC license for HAM radio: long, incredibly detailed and most people can't pass it without lots of work.

The operating system cannot be made secure from users adding software if they are supposed to add software. But users aren't qualified to add software to their computers and if they are allowed to do so, they will add things that will eventually destroy the ability to use the Internet.

Mail server filters

[TheBracket (307388)]

We have a set of filters in place that scan every incoming message (for viruses, spam, etc.). It looks like in the last 24 hours or so we've blocked a few thousand of these. They seem to be coming from all over the place, with a variety of subject lines. We block any IP that sends us malicious messages more than twice in an hour (the block stays up for 24 hours, I think), so the 2-3,000 we've blocked could be a drop in the ocean - or may not be. That's still a lot more than we get for most incidents like this.

A day in the life of a spam filter

[gvc (167165)]

If the CEAS Live Challenge [slashdot.org] had occurred over the last 24 hours, participants would've had to deal with several copies of this virus. Note how it morphed from news headlines to greeting card lines over the course of the day.

USA Missle Strike: Iran War just have started attach="News.exe"
Israel Just Have Started World War III attach="Video.exe"
Missle Strike: The USA kills more then 10000 Iranian citizens attach="Click Here.exe"
USA Missle Strike: Iran War just have started attach="News.exe"
USA Just Have Started World War III attach="Read More.exe"
Iran Just Have Started World War III attach="Movie.exe"
Missle Strike: The USA kills more then 10000 Iranian citizens attach="Click Me.exe"
Missle Strike: The USA kills more then 10000 Iranian citizens attach="Video.exe"
USA Just Have Started World War III attach="News.exe"
I Love You Because attach="flash postcard.exe"
You're In My Thoughts attach="postcard.exe"
You're In My Thoughts attach="flash postcard.exe"
Love Remains attach="Love Card.exe"
Inside My Heart attach="greeting card.exe"
A Kiss So Gentle attach="Postcard.exe"

Trojan is so US centric

[TechyImmigrant (175943)]

It may be a Storm Trojan in the USA, however in the UK it would be called a Storm Durex. Either are good for penetration.

Re:

[Opportunist (166417)]

About 70% of current malware runs on Vista, so I'd give it a good chance.

If it's important to you, I'll check on Monday.

Re:

[cdrguru (88047)]

Except the fool users that already unpacked and executed the file will then just type in the appropriate password when required in order to apply the patch.

There is no chance of this not succeeding with people that have no business being responsible for administering a computer.

Re:It scares me to death!

[Mister Whirly (964219)]

"Once someone smart had said : There's no patch for stupidity"

Sure there is [wikipedia.org]